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Abstract 

We count the number of isogeny classes of Edwards curves over finite fields, 
answering a question recently posed by Rezaeian and Shparlinski. We also 
show that each isogeny class contains a complete Edwards curve, and that an 
Edwards curve is isogenous to an original Edwards curve over Wq if and only 
if its group order is divisible by 8 if q = —1 (mod 4), and 16 if q = 1 (mod 4). 
Furthermore, we give formulae for the proportion oi d € Wq \ {0, 1} for which 
the Edwards curve Ed is complete or original, relative to the total number of d 
in each isogeny class. 

1 Introduction 

In 2007 Edwards proposed a new normal form for elliptic curves over a field k of 
characteristic 7^ 2 [6j, namely: 

Ea{k):x^ + y^ = a\l + xV), (1) 

for 7^ a. Bernstein and Lange generalised Edwards' form to incorporate curves 
of the form 

E{k) : + y2 = ^2(^1 + dx'^y'^), 

which is elliptic if ad{l - da^) ^ [3\. All curves in the Bernstein-Lange form are 
isomorphic to curves of the following form, referred to as Edwards curves: 

Ed{k):x'^ + y'^ = l + dx'^y'^. (2) 

Edwards curves over finite fields are of great interest in cryptography since the ad- 
dition and doubling formulae are: unified, which protects against some side-channel 
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attacks [H Chapters 4 and 5]; complete when d is a non-square, which means the ad- 
dition formulae work for all input points; and are the most efficient in the literature. 
Bernstein et al. have also considered twisted Edwards curves [2]: 



Ea^dik) ■.ax'^ + y^ = l + dx^y^ 



(3) 



which includes more curves over finite fields than does Edwards curves. 

Rezaeian and Shparlinski have computed the exact number of distinct curves of 
the form ([T]) and ([2]) over a finite field Wq of characteristic > 2, up to isomorphism 
over the algebraic closure of Wg However they state that counting the number 
of distinct isogeny classes over Wq for these curves is a very natural and challenging 
question. 

In this paper we answer this question fully for fields of characteristic > 2. Our 
starting point is interesting in that it was serendipitous, beginning with an incidental 
empirical observation. When searching for suitable parameters for elliptic curve 
cryptography, for curves of the form ([2]) , we observed that over a finite field IFp with 
p = 1 (mod 4), it (empirically) holds that 



and hence by Tate's theorem [16], and Ei-d should be isogenous over IFp. 

In the course of proving the above observation using character sum identities, 
we discovered that the Edwards curve Ed is isogenous to the Legendre curve: 



With explicit computation one sees that this isogeny has degree two, and so E^ 
inherits a set of 4-isogenies from the well-known set of isomorphisms of L^, each as 
the composition of the 2-isogeny to L^, an isomorphism of to L^', and the dual 
of the 2-isogeny from E"^/ to L^'. In particular E^/Wp is 4-isogenous to i?i_d/Fp 
for p = 1 (mod 4). More generally, for E^ over any finite field IF^ one obtains 4- 
isogenies to Ei_d, ^i/^, Ei_i/d, and Ed/(^d-i), being defined over Wq or Wq2 

depending on the quadratic character of —l,d and 1 — d in Wq. 

We later learned that the above 2-isogeny is merely a special case of Theorem 5.1 
of [2], which states that any elliptic curve with three IFg-rational 2-torsion points 
is 2-isogenous to a twisted Edwards curve of the form ([3]). However the explicit 
connection with the Legendre curve and the consequent ramifications contained 
herein has — to the best of our knowledge — not been made before. 

Using the explicit connection with Legendre curves, counting the number of 
isogeny classes of Edwards curves is straightforward; we use a recent result due to 
Katz [11], who studied the isogeny classes of Legendre curves. In doing so, we also 
count the number of supersingular parameters d for Edwards curves. We then prove 
the existence of complete Edwards curves in every isogeny class, providing formulae 
for the proportion of d G Wq \ {0, 1} for which Ld — and hence Ed — is complete. 



#Ed{Wj,) = #i?i_rf(Fp), 




(4) 
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relative to the total number of d in each isogeny class. This total be computed via 
a Deuring-style class number formula derived by Katz [TT], and hence for a given 
trace one can compute the number of complete Edwards curve parameters d. 

We also address the distribution of original Edwards curves ([I]) amongst the 
isogeny classes of Edwards curves. For q = —1 (mod 4) this follows from our result 
on complete Edwards curves, but for q = 1 (mod 4) we express the proportion of 
such curves in a given isogeny class using a set of remarkable ratio results due to 
Katz [11]. Whilst we believe our results may be proven succinctly using a variation of 
Katz's approach, our arguments for the proportion of complete and original Edwards 
curves rely only on explicit bijections between sets of curves of different parameter 
types, and are thus entirely elementary. 

Notation: For two elliptic curves over a field k, we write E ^ E' when E is isogenous 
to E' over /c, and E = E' when E is isomorphic to E' over the algebraic closure of 
k. Throughout the paper, IFp refers to a finite field of prime cardinality p and Wq to 
an extension field of cardinality q = p™, where m > 1. Also, if the field of definition 
of a curve or map is not specified, it is assumed to be a field of characteristic 7^ 2. 



2 A point counting proof of Edi^q) ~ L^i^q) 

It is well known that the elliptic integral 

p[x) 



zdx, 

where p{x) S ]R(x) is a rational function and q{x) G ]R[x] is a quartic polynomial, 
can be reduced to 

"^^dx 
V9i(a;) 

for a rational function pi{x) £ ]R(x) and a cubic polynomial qi{x) G lR[x] provided 
that one knows one of the roots of q{x) \19\ Chapter 8]. 

The finite field analogue of this fact is the following result of Williams |21] . 



Lemma 2.1. fgjj/ Let q be an odd prime power and let Wq denote the finite field 
with q elements. Suppose that F{x) is a complex valued function from Wq to C and 
also let X2(") denote the quadratic character ofWq. Also let Z denote the zero set 
of a2X^ + b2X + C2. Then 

E H 7S:tTl ) = Ex.(0.^ + A. + .)F(.) (5) 



, 022; + box + Co , _ 



0, otherwise., 
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where oi, 61, ci, 02, 62, C2 G ^q, 

D = hl- 4a2C2, A = 4aiC2 - 26162 + 4a2Ci, d = b\- 4aiCi, (6) 

and 

- 4dZ) / 0. 

In the following we use the lemma above to show that Ed{¥q) is isogenous to 
Lci{¥q). First notice that the given singular model for Edwards curves ([2]) has two 
points at infinity which are singular and no affine singular points, and resolving the 
singularities results in four points which are defined over Fg if and only if d is a 
quadratic residue in Fg [3]. Thus the non-singular model of Ed(¥q) has 2 + 2x2{d) 
points more than the singular model of £'rf(Fg), and hence if we rewrite the curve 
equation of as 

then 

#E4¥q) = 2 + 2x2{d)+ + 



2 + 2x2{d)+q-{l + X2id))+ ^ X2 

^2 



dx^ — 1 



= q + l + X2{d)+ Y ^H^^j. (8) 

Now on the one hand by applying Lemma |2. II with F{x) = X2ix), we get 
Y X2 ( ^^2~_\ ) = 5^ X2(4(ix2 - (4 + 4(i)x + 4)x2(x) 

+ Y ^2(2^) - X2{d) 
xeWq 

= X] ^2((2; - l)((ix - l))x2(2;) - X2(d) 

xeWq 

= ^ X2(x(x-l)(x-d))-X2(tZ), (9) 
xeWq 

and on the other hand we have 

#Lrf(Fg) =q + l+Y, X2{x(x - l)(x - d)), (10) 

where — X^xeF, X2(a^(l — x)(2; — d)) is the trace of the Frobenius endomorphism. 
Thus comparing Q, (fTOj) we have: 
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Theorem 2.2. The Edwards curve Ed{¥q) and Legendre curve Lfi{¥q) are isoge- 
nous. 

Lemma 12.11 can be viewed as a means of establishing isogeny relations between 
curves defined by relations such as 

2 aix'^ + bix + ci 

and curves defined by = x{Dx'^ + Ax + d). In ^ we show how to derive an 
addition law for curves of the form (jlip and prove resuhs similar to those presented 
in the intervening sections. 

3 4-isogenies of Ed 

In this section we detail how to compute exphcit 4-isogenies for E^, starting with the 
2-isogeny from Ed to and its dual. We then detail the well-known isomorphisms 
of Ld and compose these maps to form the desired 4-isogenies. 

3.1 Explicit 2-isogeny ipd'- Ed ^ Ld 

We now derive a 2-isogeny from Ed to Ld, as presented in the following result. 
Theorem 3.1. Let {x, y) G Ed- Then ipd '■ Ed ^ Ld 



' x(l — 2/2) / 

is a 2-isogeny. The dual of ipd is Tpd ■ Ld ^ Ed : 

2y y'^-x'^{l-d) 



{x,y) ^ 



d — ' y2 + (1 — d) / 



Note that ipd is defined on all points of Ed except the kernel elements (0,ibl), 
which map to O € Ld- 

Proof. One has the following birational transformation r 
T{x,y) = [l-d)- ,il-d) 



1 - y' x(l - y)J ' 

from Ed to the Weierstrass curve 

Wd:y'^ = x^ + 2(1 + d)x'^ + (1 - dfx, 

with inverse 

_i /2x x-{l-d) \ 

T x,y)= — ,— — — . 

\y x+{l-d)J 
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While T is not defined for the points (0, ±1) S E^, one obtains an everywhere- 
defined isomorphism between the respective desingularized projective models by 
sending (0,1) to O G Wd and (0,-1) to (0,0). Similarly, is not defined at 
points {x, y) S Wd satisying y(x + 1 — d) = 0, but if d is a square the points other 
than (0, 0) map to points of order 2 and 4 at infinity on the desingularisation of Ed 
(see the discussion on exceptional points after Theorem 3.2 of [2J). The 2-isogeny 
used in the proof of Theorem 5.1 of [2j now maps Wd directly to Ld via 

(y^ y{{l-df-x^) \ 

with dual 

One can verify that the compositions (pd ° t and t o <pd give the stated V'd and ■i/'d 
respectively. □ 



3.2 Isomorphisms of Ld 

The set of isomorphisms of Ld are induced by the two involutions ai{d) = 1 — d and 
(T2(d) = 1/d, which induce the following maps from Ld to Li-d and Li/d respectively: 

cJi : Ld — > Li_d- {x,y) ^ {I - x,^/^y), (12) 
(72: Ld^Lyd-(.x,y)^{x/d,y/d'^/^). (13) 

As transformations acting on a given field, the group generated by o"i,a"2 is: 

H = {l,cri,a2,ai(T2,cr2(Ji,(Ji(T2(Ti}, 

which is isomorphic to the symmetric group 53. The orbit of d ^ 0,1 under the 
action of H is 

which has 6 distinct elements provided that d is not a root of — d + 1 = or 
{d + l){d — 2){2d — 1) = 0. Hence we have isomorphisms between each pair of 
Ld, Li_d, Li/d, Li_i/d, and Ld/{d-i)- For completeness we give here the 

remaining three isomorphisms from Ld to L^(^d) not listed in (|12|) .(|13 p : 

o"i(T2 : Ld 
CJ2CT1 : Ld 

(Ti(T2cri : Ld 



L,_r:{x,y)^{l-x/d,^/^y/d^/^), (15) 

d 

^t^^("'^)^(t^'(i^I^)' 

/ \ ( X — d y \ 
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3.3 4-isogenies of Ed to -^^(d) 

Let a £ H. Then Wo-((i) '■ — )• E„(^d) is obtained as the fohowing composition: 

The 2-isogeny ^/'a-(d) can be obtained by taking tpd and substituting a{d) for d. We 
do not write down all possible 4-isogenies but note that whether each is defined 
over Wg or IFq2 is dependent upon the quadratic character of —l,d and 1 — d, as 
determined by maps ()12fll7p . For example, for q = 1 (mod 4) one has X2(— 1) = 1 
and so ai is defined over IF^ and Ed ~ Ei_d, which was our original observation. 
We note that the duals of each of these isogenies are also easily computed. 

3.4 4-isogenies of twisted Edwards curves 

One can also map twisted Edwards curves ([3]) to a Legendre form curve, as given by 
the following theorem, the proof of which is the same as the proof of Theorem 13. H 
one having first applied the isomorphism Ea^d — ^ Ed/a '■ {x,y) i— ?■ {^/ax,y). 

Theorem 3.2. Let {x,y) £ Ea^. Then ipa,d ■ Ea^ Ld/a ■ 

1 y{d - a) 



{x,y) H> 



ax"^ ' a^/2x(l — y'^] 



The dual of i)a,d is 4^a,d ■ Ld/a ^ ^a,d : 

2^/ay ay"^ — x'^ (a — d) 



{x,y) 



d — ax'^ ' ay2 + x'^{a — d) 



One therefore obtains a set of 4-isogenies from the isomorphisms of Ld/a^ exactly 
as before. 



4 Isomorphisms from Ld to Edwards curves 

In addition to the above 2-isogeny between Ed and L^, one can also consider when 
Ld is birationally equivalent to an Edwards curve, i.e., is isomorphic to an Edwards 
curve. Such isomorphisms have two immediate consequences. Firstly, for each such 
isomorphism one obtains a 2-isogeny of Ed to another Edwards curve Ed' via the 
composition of ipd and the isomorphism, see ^4.11 Secondly, one is able to deduce 
the set of Edwards curves isomorphic to Ed, see ^4.2[ 
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4.1 Isomorphisms from Ld to Ed 

Since Ld ■ = x'^ — {1 + d)x'^ + dx , one can transform Ld to the Montgomery curve 

Ma,b ■ By'^ = x^ + Ax^ + X 

with A = —(1 + d)/Vd, B = l/d^/d via (x,y) i— )■ {x/^/d,y). Using Theorem 3.2 
of [2] one then obtains 



X X 



Vd 



which is isomorphic to with d = ^ with 



y' x + Vd) ' 

Taking the negative root of d in the above transformations gives a second isomor- 
phism, which together we write as 

Pd,± : Ld Eg±i : {x,y) ^ ( V^{1 =F Vd)^ x =f Vd\ 



y' x±Vd 



We also have 
Pd 



.± : i?j±i ^ Ld : ix,y) ^ ( ±Vd\±^ , ±V^Vdil T Vd) ^ , ) ■ 

V x{l-y)J 

Clearly these isomorphisms are only defined over the ground field if both —1 and d 
are quadratic residues. 

Observe that the value d is invariant under the substitution d 1/d, hence the 
Lrf-isomorphic curve L^/^ maps to E^ also, but with the ± isogenies defined instead 

by 

Pi/d,± ■ Li/d E^±i : {x,y) ^ V^(l =F V'^/d)-, — ■ — 7= , 



y x± y/l/d J 



with inverse pi/d,± ■ -Ej±i Li/^ : 



(x, y) ^ ( ±^l±y, ± V^yT7d(l T Vl/d)- ^ + ^ 



Similarly, one can first map Ld to L^^^d) for any a £ H, and then apply p^^-i- but 
with the substitution d a((i) to give da{d),± '■ Ld — )• -^(T(d) ~^ ^^ViS 
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have twelve isomorphisms 0a{d),± from Ld to the six curves E^±i for i S {1,2,3}, 
with: 

As noted above the twelve isomorphisms have only the six image curves Et±i,Et±i 
and E^±i , since d and \/d map to di, \ — d and 1/(1 — d) map to ^2, and d/{d—\) and 
1 — 1/d map to da . These curves are therefore isomorphic and each has j-invariant 

2^{d^-d+lf 
{d{d-l)Y ' 

which is the Legendre curve j'-invariant jiid)- 

Taking the composition of •i/'d and an isomorphism from each of the six pairs of 
isomorphisms above — one from each pair that have the same image — one obtains 
2-isogenies of E^ to -Ej±i , -Ej±i and -Ejii , again defined over IFg or Wq2 depending on 
the quadratic charcter of —l,d and 1 — d, which we summarise in Theorem 14.11 We 
note that Moody and Shumow have independently given equivalent isogenies |12j . 
having obtained them using a different approach. 

Theorem 4.1. There exist 2-isogenies of Ed to E^±i , E^±i and Ej±i, given by the 
following maps, respectively: 

(a) e.,,, : Ed E,.. : (x,.) ^ (^^^W^i^, g^), 

(h) : Ed ^ E,^. : (x, y) ^ ((1 T VT^)xy, j^^^^) , 

(c) 6- ■E.-.E-^.-ix y)^(^MElTVl. 

Theorem 14.11 allows one to write down the set of 4-isogenies between Ed and any 
^(T{d) '^ia isogenies and isomorphisms of Edwards curves only: first map Ed — s- E^±i ; 
second apply an isomorphism to the relevant E^±i; and third use a dual isogeny 
to map to E„(^d)- However, since the Edwards 2-isogenies implicitly depend on the 
2-isogeny to Ld, the initial derivation given is perhaps the most natural way to view 
these 4-isogenies. 

4.2 Isomorphisms of Ed 

It is clear from §4.1l that the E^±\ curves inherit isomorphisms from the isomorphisms 
of Ld, whereas Ed inherits isogenies from the isomorphisms of Ld — in both instances 
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Ld plays a fundamental role. A natural question is whether or not it is possible to 
exploit the isomorphisms between Ei±i to give the set of curves isomorphic to E'rf? 

i 

Since the j-invariant of is [2\ 

. 16{d^ + Ud + If 

JEW = 



it would not seem obvious how to determine the set of isomorphic curves of from 
those of Lrf. However, one can argue as follows. As above let 5 = di{d) = ^ x"*^^ ) ' 
with di considered as a function of d. Observe that d = {di{6))~^ , and hence 

Ed = ^/i_y5\2- 

Since the curve on the right-hand-side is isomorphic to E^±i^gy ^d^^(5) ^"^^ ^d'^^(5)-> 
so is Ell. Writing these expressions out in full gives the following theorem. 

Theorem 4.2. Let Ed and Ed' he two Edwards curves. Then Ed — Ed' if and only 

These six values are naturally implied by Proposition 6.1 of Edwards original 
exposition [6j. In particular curve (1) is isomorphic to curve (2) via the map {x, y) i— t- 
{ax, ay), with d = a^. Taking the fourth power of each of the 24 values given in 
Edwards' proposition gives the six values listed in Theorem 14.21 It is however 
interesting that these values can be determined from the isomorphisms of alone. 
The above manipulations also show that E^ = Ls, via 



{x,y) 



'Vd+1 1 + y 2^/^{l + Vd) 1 + y 



Vd-1 1-y (l-Vdy x{l-y) 



Note that the existence of such an isomorphism is implied by the fact that jii^) = 
jE{d). 

5 The number of isogeny classes of Edwards curves over 
finite fields 

In this section we derive some results about Edwards curves from results known 
for the Legendre family of elliptic curves, which is well-studied. Having established 
the isogeny between E^ and in Theorem 13. H the validity of this approach is 
immediate. In particular we determine the number of isogeny classes of Edwards 
curve over the finite field F^, and in the course of doing so also detail the number 
of supersingular curves Ed{¥q). 
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For the Legendre curve L(i(Fg), we denote the trace of the Frobenius endomor- 
phism 

- ^ r/(x(x-l)(x-d)) (18) 

by A{d,¥q). Then Equation (flOl) imphes 

#Ld{¥g)=q+l-A{d,¥g), (19) 
and by the Hasse-Weil bound we have 

|^(d,F,)| <2^. 

Thus the number of isogeny classes of the Legendre family of elliptic curves is the 
same as the number of integer values of A with \A\ < I^Jq for which there is a d 
such that A{d^¥q) = A. The following two lemmata give a satisfactory answer to 
this question. The first addresses the number of ordinary isogeny classes and the 
second addresses the supersingular isogeny classes. 

Lemma 5.1. Let Fg he a finite field of odd characteristic, and let A ^'K he an 
integer prime to p (the characteristic of¥q) with \ A\ < I^Jq. If A = q+1 (mod 4), 
then there exists d G Fg\{0, 1} with A{d,¥g) = A. 

Lemma 5.2. 111^ Let p be an odd prime. Then we have the following assertions. 

(i) If q = j)2A:+i^ Liii¥q) is supersingular, then A{d,¥q) = 0. 

(ii) If q = p^^ , and Ld{¥q) is supersingular, then A{d,¥q) = e2p^ , where e = ±1 
is the choice of sign for which ep^ = 1 (mod 4) . 

Following Katz, we say that each A satisfying the conditions of Lemma 15.11 is 
unobstructed, for q. From the two lemmata above, the following is immediate. 

Corollary 5.3. If q = p^^+i andp = 1 (mod 4), then the number of isogeny classes 
of Edwards curves over F„ is 



+ 2 



Proof. The claim will follow if we prove that there is no supersingular Legendre 
curve in this case. Observe that i^Ld{¥q) is always divisible by 4, and if g = p"^^^^, 
p = 1 (mod 4) and Ld{¥q) is supersingular, then from Lemma I5.2l fi) and (fT9]) it 
follows that i^Ld = 2 (mod 4), which is impossible. □ 
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In order to obtain the number of isogeny classes of Edwards curves in the re- 
maining cases we need to know how the supersingular Legendre curve parameters 
are distributed amongst extensions of the prime subfield Wp of IF^; again, there is 
aheady a complete answer to this question in the literature. On the one hand, it 
is well known that Lrf(Fq) is a supersinular curve if and only if (i is a root of the 
Hasse-Deuring polynomial 



i=0 

and on the other hand it is well known that all the roots of Deuring polynomial are 
in Wp2 (see for example [H Proposition 2.2]). Using Theorem 13.11 and [1, Proposi- 
tion 3.2] the following is immediate. 

Theorem 5.4. The number Sp of Wp-rational roots of the Deuring polynomial, or 
equivalently the number of supersingular Edwards curves over JFp, satisfies 

(i) Sp = if and only if p =1 (mod 4) . 

(ii) ^3 = 1. 

(Hi) If p = 3 (mod 4) and p > 3, then Sp 
number of 'Q{\/—p)- 



3h{—p), where h{—p) is the class 



Corollary 5.5. Ifp = 3 (mod 4) and q = p^fc+i^ then the number of isogeny classes 
of Edwards curves over ¥g is 



+ 1. 





- 2 




4 




4p 



Proof. From Lemma 15.21 and Theorem 15.41 it follows that there is a single isogeny 
class of supersingular Legendre curves in this case. □ 

Similarly we have: 

Corollary 5.6. If q = p^^ for an odd prime p, then the number of isogeny classes 
of Edwards curves over ¥g is 



L2^J + 2 



L2v^J 
P 



+ 2 



+ 1. 



Proof. From the fact that all the roots of Hasse-Deuring polynomial are in ¥p2 
and from Lemma 15.21 it follows that there is a single isogeny class of supersingular 
Legendre curves in this case. □ 
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6 Isogeny classes of complete Edwards Curves 



Bernstein and Lange proved that the Edwards addition law is complete, i.e., is well- 
defined on all inputs, if and only if X2{d) = —1 A natural question to consider 
is whether there exists a complete Edwards curve in every isogeny class. In this 
section we answer this question affirmatively, relating the number of non-square 
d G Wq \ {0, 1} in each isogeny class to the total number of d in each isogeny class. 

6.1 Katz's ratio results 

While investigating the Lang- Trotter conjecture [lOj . Katz discovered some remark- 
able relationships between the number of d G IFg \ {0, 1} such that A(d, Wq) = 
q + 1 — #Ld = A for any unobstructed A, and the number of d G IFg \ {0, 1} such 
that A{d,Wq) = -A [llj. 

In particular, let A^(^) = #{d G Fg \ {0, 1}| Fg) = A}. Katz proved that 
for q = —1 (mod 4), one has N{A) = N{—A). For q = 1 (mod 4), this is no longer 
the case. Since A = 2 (mod 4), exactly one of A, — A has q + 1 — A = (mod 8) — 
call it ^ — with q + l + A = 4 (mod 8). Then N{A) > N{-A). Furthermore, for 
q = 5 (mod 8) the ratio r = N(A)/N{—A) is always one of the integers 2,3, or 5, 
depending only on the power of 2 dividing q + 1 — A, as given in: 

Theorem 6.1. /TT]. Theorem 2.8] Suppose q = 5 (mod 8). Then 

ord2{q +1-A) = 3^r = 2, 
ord2{q -M-A) = 4=^>r = 3, 
ord2{q + 1-A)>5^r = 5. 

For q = 1 (mod 8) the situation is more complicated. If ord2{q + 1 — A) = 3 
then r = 2 as before. Let A = — Aq. For the remaining cases we have: 

Theorem 6.2. Theorem 2.11] Suppose q = 1 (mod 8), and that ord2{q -|- 1 — 
A) > 4. Then ord2(A) > 6, and we have the following results. 

(1) Suppose ord2{A) = 2/c + 1,/c > 3. Then r = 5 - 3/2^~2_ 

(2) Suppose ord2{A) = 2k, k > 3. Then 

(a) if A/2'^'' = 1 mod 8, then r = 5, 

(b) if A/2'^'' = 3 or! mod 8, then r = 5 - 3/2'="^ 
(a) if A/2'^'' = 5 mod 8, then r = 5 - l/2''~^. 

To explain these phenomena, Katz uses the fact that L^i is 2-isogenous to the 
elliptic curve = (x + t)(x^ + x + t), t 0, 1/4, having a point (0,t) of order 
4 and where t = (1 — d)/4. Over the t-line, this family of curves with its point 
(0, t) is the universal curve given with a point of order 4. Using this property 



13 



Katz derives a Deuring-style class number formula to express the number of t G IF^ 
such that A{t, Wq) = A. Expressing the same for —A and then computing the 
ratio A^(^)/A^(— ^) happens to be far simpler than computing the exact numbers 
themselves, as it obviates the need to perform any class group order computations. 
However, in the proof no consideration was given (nor was it needed) of the quadratic 
character of elements t in a given N{A). Furthermore, since under this 2-isogeny we 
have t = (1 — d)/4, determining how the corresponding square and non-square d are 
distributed between the numerator and denominator of N{A)/N{—A) is certainly 
not immediate. 

However, we observed (empirically - and then proved) that the following holds. 
Let A''2(^) and Nn2{A) be the partition of N{A) into square and non-square d re- 
spectively, and similarly for —A. For q = 1 (mod 4), we have Nn2{A) = Nn2i—A) = 
N{—A), i.e., the smallest of the two values N{A), N{—A). Hence the excess of N{A) 
over N{—A) consists entirely of square d. For q = —1 (mod 4) we have 



Nn2iA) 



(n{A) iiq+l-A = 4: (mods) 
[N{A)/3 ifq + l-A = (mod 8). 



Since q = —1 (mod 4) we have Nn2{A) = Nn2i—A) in this case also. Our proof of 
these facts is elementary. 

6.2 Proof of claims 

We use the following three lemmata, the first of which can be found in [20' Theorem 
8.14] (see also [El X, Sect. 1]): 

Lemma 6.3 (2-descent). Assume char(Wq) > 2, and let E(Wq) be given by y"^ = 
(x — a){x — f3){x — 7) with a, /3, 7 G IF^, a 7^ /3 7^ 7 7^ a. The map 



defined by 



{x, y) I—)- (x — a, X — /3, X — 7) when y ^ 

O ^ (1,1,1) 
(ei,0) 1-^ ((ei - e2)(ei - e3),ei - 62,61 - 63) 

(62,0) l-> (62 - 61, (62 - 6i)(e2 - 63),62 - 63) 
(63,0) 1-^ (es - 61,63 - 62, (63 - 6i)(63 - 62)) 

is a homomorphism, with kernel 2E(Wq). 

Applying Lemma [6.31 to the 2-torsion points (0,0), (1,0) and {d,0) of Ld(iFq), 
one can compute the possible 4-torsion groups L£;(Fg)[4], which depend only on 
X2(— 1), X2(c?) and X2(l — d), giving the following result. 
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Table 1: q = 1 mod 4 



X2{d) 


X2(l- 


d) 


(Ld(F,)[2]n2L^(Fg))\{0} 


^d(F,)[4] 


1 


1 




(0,0),(l,0),(d,0) 


2/42 X 2/42 


-1 


1 




(1,0) 


2/42 X 2/22 


1 


-1 




(0,0) 


2/42 X 2/22 


-1 


-1 






2/22 X 2/22 


Table 2: q = -I mod 4 




X2(l- 


d) 


(Ld(F,)[2]n2Ld(Fg))\{0} 




1 


1 




(1,0) 


2/42 X 2/22 


-1 


1 




(1,0) 


2/42 X 2/22 


1 


-1 




(d,0) 


2/42 X 2/22 


-1 


-1 






2/22 X 2/22 



Lemma 6.4. For q = ±1 mod 4, the possible A-torsion groups L(i(Fq)[4], are those 
detailed in Tables 1 and 2 respectively. 

We also use the following easy result, the first part of which was also used by 
Katz [11, Lemma 2.3]. 

Lemma 6.5. For d G F^ \ {0, 1} we have: 

(i) A{d,Wq) = x2{-l)-A{l-d,Wq), 

(ii) A{d,Wg) = x2{d)-A{l/d,Wg). 

Proof. These are immediate consequences of isomorphisms (jl2p and ()13p . □ 

We are now ready to prove our observations. 

Theorem 6.6. For q = 1 (mod 4), let A be such that q + 1 — A = (mod 8) (and 
soq + l + A = A (mod 8)^. Then iV„2(^) = Nn2{-A) = N{-A). 

Proof. From Table 1 we see that for any square d, L^i^Fq) contains a subgroup of 
order either 8 or 16. As g + 1 + ^4 = 4 (mod 8), by Lagrange's theorem we must have 
N2{—A) = . Hence all d counted by N(—A) are necessarily non-square, and since 
by Lemma 1 5. II everv unobstructed A occurs, we have Nn2i—A) = N(—A). Since 
Fg \ {0, 1, —1} partitions into a disjoint union of pairs {d, 1/d}, by Lemma l6.5( ii) 
for non-square d we have a bijection between the elements counted by Nn2{—A) and 
those counted by Nn2{A), and hence these numbers are equal. □ 
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Theorem 6.7. For q 



1 (mod 4), we have 



Nn2{A) 



N{A) ifq + l-A = A (mod 8) 
N{A)/'i ifq + l-A = {) (mods). 



Proof. We show that the resuh is true in each isomorphism class. First, assume 
jiid) 7^ 0, 1728, so that each isomorphism class contains the six distinct elements 
in (I14p . From Table 2 we have that for any square d, L^i^q) contains a subgroup 
of order 8. Hence if #L(i(iFq) = q + l — A = A (mod 8), by Lagrange's theorem 
we must have A^2(^) = 0- Hence all d counted by N(A) are non-square, and since 
every unobstructed A occurs, we have Nn2{A) = N{A). This proves the first part 
of the theorem. For the second part, we shall show that for each A for which 
q + 1 — A = (mod 8), square d occur twice as frequently as non-square d in the 
counts for both A^(^) and N(—A). Abusing notation slightly, when A(d,Wq) = A 
we write d S N(A), and simlarly for N(—A). 

Let #Ld{JFq) = q + 1- A = (mod 8). Then by Sylow's 1st theorem, Ld(Fg) 
contains a subgroup of order 8, and hence Lrf(IFq)[8] contains at least 8 points. By 
Table 2, we can not have X2(d) = X2(l - d) = -1, since Lrf(Fg)[4] = '2.2 x '2.2 = 
Ld(Fg)[2] and hence |L(i(Fq)[2*]| = 4 for i > 2. Hence we have three possibilities 
for {x2{d),X2{l-d)). 

Let X2id) = 1 with d £ N{A). Then by Lemma ESl^ii) , 1/d e N{A) also. By 
Lemma l6.5l fil. 1 — d,l — 1/d G N{—A). If X2(l ~ d) = —1 then by Lemma 16.5^ 11) we 
have 1/(1 - d) e A^(^), and d/{d - 1) e N{-A). Hence {d, 1/d, 1/(1 - d)] G N{A) 
and {1 — d, 1 — l/d, (i/(d— 1)} G N{—A), and there are two squares and a non-square 
in each set, as asserted. If X2(l — d) = 1 then by Lemma l6.5( ii) we have instead 
1/(1 -d) G N{-A), and d/(d - 1) G A^(^). Hence {d,l/d,d/(d - 1)} G N{A) and 
{1— d,l — l/d,l/(l— d)} gA^(— A), and again there are two squares and a non-square 
in each set. Finally, if X2(d) = —1 and X2(l— d) = 1, by Lemma [6. 51 again we see that 
ifd G N{A) then {d, l-l/d,d/(d-l)} G N{A) and {1/d, 1-d, l/(l-d)} G N{-A). 
In ah cases N2{A) = 2Nn2{A) and iV2(-^) = '^Nn2{-A), and the second part of 
the result follows for these isomorphism classes. 

If jtid) = 1728, i.e., if d = 2, 1/2, —1, it is easy to see that Lemma 16.51 implies 
that the trace of Frobenius is zero in all cases. Now X2(2) = — 1 if g = 3 (mod 8) and 
is 1 if g = 7 (mod 8). In the first case, g -|- 1 — = 4 (mod 8) and this isomorphism 
class contributes three elements to A'„2(0) and hence iV(0). In the second case 
g -|- 1 — = (mod 8) and this class contributes two squares and one non-square to 



If jiid) = then d^ — d -|- 1 = 0, i.e., d and 1/d are primitive 6-th roots of 
unity over F^, which are in Wg iff q = 1 (mod 6). Since q = —1 (mod 4) we must 
have q = 7 (mod 12). In particular, Wg does not contain any 12-th roots of unity 
and hence X2(d) = —1. Since 1 — d = 1/d, we have X2(l — d) = X2(l/d) = — 1, 
and so by Table 2, Ld{Wg)[A] ^ x Z2 and hence #Ld{Wg) = q + l- A = 4: 
(mod 8) by the above argument. By Lemma [631f ii). A{d,Wg) = —A{l/d,JFg) and 



iV(0). 
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this isomorphism class contributes one element to Nn2{A) and hence N(A), and one 
element to Nn2{—A) and hence N(—A), whenever this isomorphism class is defined 
over Wq. □ 



Since by Lemma |5. II we have N{A) > for every unobstructed integer A for a 
given q, we thus have the following. 

Corollary 6.8. Let A be an unobstructed integer for q. Then there exists at least 
one quadratic non-residue d G IFg \ {0, 1} such that ^EdiWq) = q + \ — A, and hence 
there is a complete Edwards curve in every isogeny class. 

Theorems 16.61 and 16.71 allow one can compute Nn2iA) given N(A), which can be 
computed using Katz's Deuring-style class number formula [11]. In fact for 9=1 
(mod 4), the formula for A^(— ^4) is far simpler than that for N{A), while for q = — 1 
(mod 4), N{A) and Nn2{A) are either equal or differ by a factor of 3. 

To conclude this section, we note that Morain has independently proven the 
following [13\ Theorem 17]. 

Theorem 6.9. LetE(Wp) : y'^ = x^+a2x'^+aiX+aQ have three Wp-rational2-torsion 
points. Then there exists a curve E'(JFp) isogenous to E(Wp) that is birationally 
equivalent to a complete Edwards curve. 

Therefore, if such a curve E(Wq) exists in every isogeny class whose group order 
is necessarily divisible by 4 = |£'(]Fq)[2]|, then Theorem 16.91 implies Corollary 16. 8t 
Theorem 12.21 provides the missing condition. Furthermore, Morain's proof is con- 
structive, in that from such a curve E one can explicitly compute a set of isomor- 
phism classes of complete Edwards curves, based on the structure of the volcano of 
2-isogenies of E. 

7 Isogeny classes of original Edwards curves 

As stated in §4.21 curves in Edwards' original normal form ([T]) are isomorphic to 
the Bernstein-Lange form ([2]) via (x,y) i— )• {ax, ay), with d = a^. Two natural 
questions to consider are whether or not there exists an original Edwards curve 
in every isogeny class, and more specifically how are the original Edwards curves 
distributed amongst the isogeny classes? In this section we present answers to both 
these questions. 

We begin with some definitions. For any unobstructed A for q, let A^4(^) and 
N2n4:{A) be the number of d G that are fourth powers, and squares but not 

fourth powers, respectively. For any such A we thus have 

N{A) = Nn2{A) + N2nM) + ^M)- (20) 

Furthermore let X4(") denote a primitive biquadratic character of Fg, so that Xi^d) = 
1 if and only if there exists an a G IFg such that d = a^. 



17 



7.1 Determining Ld{Wg)[8] 

In the ensuing treatment, we will need to know the possible 8-torsion subgroups of 
L(i{Wg). The structure of the 4-torsion was determined by analysing the halvability 
of the 2-torsion points, using Lemma 16. 3i Similarly, one can apply Lemma 16.31 to 
the elements of Lf;(Fq)[4] \ L(;(Fg)[2] to determine the structure of the 8-torsion. 

Over the algebraic closure of Wq there are twelve points of order four; two for 
each of the three 2-torsion points (0,0), (1,0) and (d, 0): 

P(o,o),± = {±Vd,V^Vd{iTVd)), 

P(i,o),± = {l±Vl-d,Vl-d{l±Vl-d)), 
P(rf,o),± = (d ± Vdid - 1), Vd{d -l)iVd± Vd^)), 

along with their negatives (note that one can also prove Lemma 16.41 using these 
expressions). Applying Lemma 16.31 to these points gives: 

Lemma 7.1. The following conditions are both necessary and sufficient for the 
poinfo P(o,o),±; ^(1,0), ± '^''T'd P{d,o),± respectively, to be halvable: 

(i) Pm,± e 2Ld(Fg) ^ ±Vd, ±Vd - 1, ±Vd -de {W^ f, 

(ii) Pim,± e 2Ld(Fg) ^ 1 ± VT^, ±VT^, 1 ± -d£ iW^)^ 

(ill) P^d,o),± e 2Ld(F,) ^ d±^did - l),d±^did - l)-l,±^did - 1) G (W^f. 

7.2 The case q = -1 (mod 4) 

This is the simplest case, giving rise to the following theorem: 

Theorem 7.2. If q = —1 (mod 4), then the following holds: 

(i) Let G F, \ {0, 1}. Then #La4(Fg) = p+l-^ = (mod 8). 

(ii) Conversely, ifq+1— A = Q (mod 8) then there exists G Fg \ {0, 1} such 
that #L^4{Wq) = q+l- A. 

(Hi) Ifq + l-A = (mod 8) then Ni{A) = N2{A) = 2N{A)/3. 

Proof. Since is a square, by Table 2 we have LQ4(Fg)[4] = ^4 x ^2, and hence 
by Lagrange's theorem we have 8 | ^L^4{Wq). This proves (i). Now let A be 
any unobstructed integer satisfying q + 1 — A = (mod 8), and consider the set 
of all curves Lrf(Fg) counted by A^(^). By Lemma l5.ll this set is non-empty. By 
Theorem 16.71 we have N2{A) = 2N{A)/3. Furthermore, since q = — lmod4, the 
map I—)- x"^ is an automorphism of the set of squares in Fg \ {0, 1}, and hence 
N4^{A) = N2{A). This proves (Hi) and hence (ii). □ 
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7.3 The case q = 1 (mod 4) 

We have the following theorem, which is proven in the remainder of this section: 

Theorem 7.3. If q = 1 (mod 4), then the following holds: 

(i) Let G \ {0, 1}. Then #L„4(Fg) = q + l- A = Q (mod 16). 

(ii) Conversely, ifq + 1 — A = Q (mod 16) then there exists G Wq \ {0, 1} such 
that #Lai{Wq) = q + l- A. 

(Hi) Ifq + 1-A = (mod 16) then N^A) = N{A) - 2N{-A). 

Note that the implication in (Hi) is equivalent to N4{A)/N{A) = 1 — 2/r, where 
r is Katz's ratio N{A)/N{—A). Using Theorem 16.61 and (|2Up . this is equivalent to 
N^A) = Nn2{A) + N2nA{A) + N^iA) - 2Nn2{A), or 

N2ni{A) = Nn2{A). (21) 

Equation ()2ip in fact holds for all A such that q + 1 — A = (mod 8), and seems 
to be non-trivial. We will prove it by constructing a bijection between the sets of 
curve parameters of each type. Once this equality is proven, part (ii) follows easily. 

The idea behind the proof of Equation (|2ip is a natural extension of the bijection- 
based proofs of ^ , which used the isomorphisms given in Lemma 16.51 Rather than 
use isomorphisms defined over Wq, which are isogenics of degree one, we use isogenics 
of degree two. In particular we consider the isomorphism classes of curves arising 
from two 2-isogenies of L^: the first being "divide by the 2/22 generated by (0, 0)" 
when d G A'^2ri4(^)j and the second being "divide by the 2/22 generated by (1,0)" 
when d G Nn2{A), which are dual to one another. We begin with a short proof of 
part (i). 

Proof of (i): Let d = a^. Since X2{d) = 1, by Table 1, if X2(l — d) = 1 then 
Lrf(Fg)[4] = 24 X 24 and hence 16 | #Lrf(Fg). If X2(l - d) = -I then by Table 
1 neither of (1,0) or (d, 0) are halvable, and we claim that precisely one of -P(o,o),± 
is halvable. As X2(— 1) = Ij by Lemma 17. 1^ -P{o,o),+ is halvable if and only if 
^fd, Vd — 1 are both square, while P(o,o),- is halvable if and only if —Vd, —\fd — 1 
are both square. Since X4 (d) = 1, both ±\/d are square. Furthermore, as 1 — d = 
(1 + Vd){l -Vd) = {-Vd -l){Vd- 1), precisely one of these factors is square as 
X2(l — rf) = — 1 by assumption. This gives rise to a point of order 8. Therefore 
F(;(Fg)[8] = 28 X 22 and hence 16 | #L^(Fq) in this case too. This completes the 
proof of (i). 

We now exhibit a bijection to prove (j2ip . assuming q + 1 — A = (mod 8). 

Lemma 7.4. Let A satisfy q + 1 — A = (mod 8). Then there exists an injection 
fromN2nAiA) to Nn2{A). 
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Proof. Note that if d G N2n4:iA) then by Table 1 we necessarily have q + 1 — A = 
(mod 8). Let U ■ Ld ^ La/ {{0,0)) and let E'^ = UiLd)- Using Vein's formula [17], 
E^"' has equation y2 = -{d+l)x^ -Adx+U{d+l) = (x-(d+l))(x-2\/d)(x+2\/d), 
and 

id{x,y) = (x + d/x,y{l - d/x^)). 

In particular, (1, 0), (d, 0) G Ld are both mapped to {d+ 1, 0) G i?'^, and hence Ld is 
isomorphic to E'^/{{d + 1,0)). 

Labelling the abscissae of the order 2 points of E'^ by ei = d + 1, 62 = 2-v/d and 
63 = — 2\/d, one sees ([20]) that E''^ has six isomorphic Legendre curves, each given 
by a permutation of (61,62,63) with paramater A = (63 — 61) /(62 — 61), and 

X, y) ^ , — . 

Ve2-6i (e2-ei)'^/^y 

Each of these isomorphisms is defined over IFg if and only if A G Wq and X2(62 — ei) = 
1 |20j . For d G N2n4{A), the two iiJ'^-isomorphic Legendre curves used in the bijection 
are given in Table 3. 



Table 3: Lrf/((0, 0)) -isomorphic Legendre curves in Nn2{A) for d G N2ni{A) 



161,62,63] 



A 



(62 - ei) 



X2(62 - ei) 



{2y/d,d+l,-2y/d) 
{-2Vd,d + l,2Vd) 



-4y/d 
(1-V^)2 



(1 - Vd)^ 

(1 + \/d)2 



Observe that Xi{d), X2{d) G Nn2iA) since Xiid) 7^ 1. Note also that Xi = 1 — 6, 
with 6 as given in m.2\ and hence this isomorphism class is precisely that of Ed] 
indeed we have jii^) = jE{d). Thus E'^ = Ed, explaining our choice of notation. 



Abusing notation slightly, we refer to the isomorphisms E 



L\^{d) and E'^ 



Lx^^d) by Xi{d) and A2(d) respectively. Note that both Ai(d) and X2{d) map {d + 
1,0) G E'^ to (1,0) G Lxi(^d)^L\2(d)- Furthermore, if d is replaced with 1/d in Table 
3, then each Xi{d) remains invariant. Hence ^i/^ maps to Ai(d),A2(d) as well, via 
^i/d{Liid) = E^/^, and the point (1/(1+ 1,0) G E^^ maps to (1,0) G Lx,(d), Lx^id)- 
As 1/d £ N2n'i{A), this means we have a map from the pair {d, 1/d} C N2n4iA) to 
the pair {Xi{d), X2{d)} C A'^„2(^)- Note that d, 1/d are distinct, unless d = —1 and 
q = 5 (mod 8), in which case we have Ai(— 1) = A2(— 1) = 2 with X2(2) = —1 and 
hence 2 G Nn2iA). So in this exceptional case, we have an injection. 
In the general case we thus have two pairs of maps: 

Xi{d) o S,d ■■ Ld — > L> 



X2{d)oid-Ld — > L 
Ai(l/d) o^i/d : ^i/d — > L 
X2{l/d)oii/d: Lijd — > L 



-Ai(d), 

A2(rf)' 

Xi{l/d), 
Xiil/d), 
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with Lx^^i^d) — ^Xi{i/d) ^\2{d) — ^\2{i/d)- We claim the above four maps taken 
together form an injective map from pairs {d, to pairs {Ai(d), A2(c?)}. Indeed 
suppose that for d! G A^2n4(^) we have 

Ai(d') = \i{d) or A2(d), or A2(d') = \i{d) or A2(d). 

Then \fdl = ±\/d or -/df = ±.l/\fd, i.e., d' = d or d' = 1/d, and hence the map is 
injective on the stated pairs. □ 

Now consider the reverse direction, which is almost immediate. 

Lemma 7.5. Let A satisfy q + 1 — A = (mod 8). Then there exists an injection 

from Nn2{A) to N2n4{A). 

Proof. Let e G iV„2(^)- For q + 1 — A = (mod 8), by Table 1 we must have 
X2(e) = — 1 and X2(l — e) = 1- The only isomorphism defined over JFq in this case 
maps Lg — -^^e/(e-i) (see (15)). Therefore if e € Nn2iA), then G Nn2{A). 
Indeed X2{d) = Ai(d)/(Ai(d) - 1) (and Xi{d) = A2(d)/(A2(d) - 1)). 

Since Ai(d) and A2(£i) map the ^^-generating element {d+ 1,0) of E'^ to (1,0) in 
L^i and -^Ag (^^d similarly (l/d + 1,0) G E^/'^ to (1,0)), the dual of applied 
to the isomorphism class representative Lg is given by Le/((1,0)), and similarly 
for Le/(-g_x). Hence if e = Xi{d) or X2{d), then maps elements of Nn2{A) to 
the original isomorphism class of L^. We now analyse this map and identify which 
curves in the resulting isomorphism class are relevant. 

For the sake of generality let 7e : Lg — > Le/((1, 0)) and let = 7e(Le). Using 
Vein's formula F'^ has equation = — (e + l)^^ — (6e — 5)a; — 4e^ + 7e — 3 = 
(a; - (e - l)){x - (1 + 2VT^)){x - (1 - 2^1^)), and 

Note that 7e(0,0) = 7e(e,0) = (e - 1,0). For e G A'n2(^), the two FMsomorphic 
Legendre curves used in the bijection are given in Table 4. 

Table 4: Two Le/((1, 0))-isomorphic Legendre curves in N2n4:{A) for e G A'ji2(^) 
and g + 1 - ^ = (mod 8) 



(61,62,63) 




(62 - 61) 


(e-l,l + 2Vl-e,l-2Vl-e) 


W - (l+^j 


(1 + VI - er 


(e-l,l-2Vl-e,l + 2Vl-6) 


- (i_^j 


(1 - Vl - 6)2 



Observe that ^2(62 — 61) = 1 in each case, and the same is true for ^i(e), /Lt2(e). 
Furthermore, /ii(e), //2(e) are both in Ar2„4(^) since {l±^/T^^)/{l=f^/T^^) is not 
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square. Indeed, since 1— e is square, write 1— e = so that e = 1—6^ = (1+5)(1— 6). 
Therefore -1 = X2{e) = X2{l + h)x2{l-h) = X2(l + 6)/X2(l-6) = X2{{l + b) / {l-h)). 

Again abusing notation slightly, we refer to the isomorphisms — )• -^^^^(e) and 
-^At2(e) by //i(e) and ^2(e) respectively. Note that both //i(e) and /X2(e) map 
(e — 1, 0) G to (0, 0) G -^/ti(e)) ^H2{e)- Furthermore, if e is replaced with e/ (e — 1) 
in Tabic 4, then each ;^i(e) remains invariant. Hence Lg/(-g„i) maps to ;Ui(e), /i2(e) 
as well, via 7e/(e-i)(i>e/(e-i)) = and the point (e/(e - 1) - 1,0) G 

maps to (0,0) G L^j(e)) -^/i2(e)- e/(e — 1) G A^„2(^), this means we have a map 
from the pair {e, e/(e — 1)} C iV„2(^) to the pair {/xi(e), /X2(e)} C iV2n4(^). Note 
that e, e/(e — 1) arc distinct, unless e = 2 and q = 5 (mod 8), in which case we 
have Hi{2) = /Lt2(2) = —1 with X4(— 1) / 1 and hence —1 G A^2n4(^)- So in this 
exceptional case, we have an injection (in fact the inverse of the previous injection). 

In the general case we thus have two pairs of maps: 

Mi(e)o7e:Le — > ^t^i{e), 

^2(e)o7e:Le > Lfi2{e), 

m(e/(e - 1)) O 7e/(e-l) : ^e/(e-l) > i-^i(e/(e-l)), 

/X2(e/(e - 1)) O 7e/(e-l) : -^e/(e-l) > -^M2(e/(e-l)) > 

with L^^(e) = L^^(e/(e_i)) and L^2(e) = -^(U2(e/(e-i))- We claim the above four maps 
taken together form an injective map from pairs {e, e/ (e— 1)} to pairs {/xi(e), /X2(e)}. 
Indeed suppose that for e' G Nn2{A) we have 

/xi(e') = /xi(e) or /X2(e), or H2{e') = Hi{e) or /X2(e). 

Then e' = e or e' = e/(e — 1), and hence the map is injective on the stated pairs. □ 

We have thus proven: 

Theorem 7.6. Let A satisfy q + 1 — A = (mod 8). Then there exists a bijection 
between N2n4:{A) and Nn2{A). 

Furthermore, using the above definitions one can check that 

/^i(Ai(c?)) = /xi(A2(d)) = d, and /Lt2(Ai(c?)) = ii2{)^2{d)) = l/d, 
and similarly 

Ai(Mi(e)) = Ai(/X2(e)) = e/(e - 1), and X2{ni{e)) = A2(M2(e)) = e, 
and that 

(^2(Ai(d)) o 7Ai(d)) o (Ai(d) o ^rf) = [2] on L^, 

(^2(A2(d)) o 7A2{d)) ° (A2(d) o ?d) = [2] on La, 
(Ai(^i(e)) o ^^^(g)) o (^i(e) o7e) = [2] on Lg, 
(Ai(//2(e)) o ^^^(g)) o (//2(e) o 7e) = [2] on Lg. 
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Observe that if one substitutes d S N2nA{^) for e in the latter two maps, then 
one obtains 2-isogenies from Ld to L^^(rf),L^2(rf), however fj.i{d), fj,2{d) Nn2{A), 
so the bijection can only be used in the manner proven. So while the bijection 
principally relies on a 2-isogeny and its dual, this alone is insufficient; one needs to 
also consider the isomorphism class representatives used, which is natural given that 
we are considering Legendre curve parameters d rather than isomorphism classes of 
curves. 

With regard to Theorem 17.31 note that Theorem 17.61 directly implies Theo- 
rem [73)^iii). Let A be any unobstructed integer satisfying q + 1 — A = (mod 16), 
and consider the set of all curves L^(IFq) counted by N{A). By Lemma l5. II this set 
is non-empty. Theorems 16.11 and 16.21 show that for q + 1 — A = (mod 16) the ratio 
N{A)/N{-A) > 2 and thus N^^A) = N{A) - 2N{-A) > 0, which thus proves part 
{ii) and completes the proof. 



8 Curves defined using a ratio of two quadratics 

Following on from f|2] where we expressed the equation defining Ed in the form ([7]), 
in this section we briefly discuss curves defined using a ratio of two quadratic poly- 
nomials or a ratio of a quadratic and a linear polynomial. We demonstrate that one 
can derive an addition formula for these types of curves and prove for them results 
similar to the results of the preceeding sections. 



8.1 Ratio of two quadratics 

Let f{x) = aix'^ + bix + ci, g{x) = a2X^ + b2X + C2 G ^q[x] be as in Lemma [2Tt oi, a2 
both non-zero, and define a curve by the equation 

C/lF.:,'^ °'i + + (22) 

a2X^ + b2X + C2 

Notice that writing the curve equation as a ratio of two quadratics is just for the 
sake of the exposition and it is understood that C/¥q is the projective curve defined 
by the equation 

{a2X + b2xz + C2Z )y = aix z + bixz + C2Z . 
Now suppose that 

/(x) = ai(x - wi)(x - UJ2), 

and 

g[x) =a2{x- UJ3){x - UJ4). 

The conditions of Lemma l2.ll imply that 1^1,1^2,^3,^^^ are pairwise distinct. This 
implies that there is a linear fractional transformation 

U1X + U2 

: X H> ■ Ui £ ¥q, 

U3X + U4 
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which maps cji , > ^^3 , ^^4 to fi, —fi, — provided that the cross-ratio condition 



(a;2 - a;3)(a;i - a;4) + 
is satisfied (see [Chapter 4]|14j). The map (j) induces the map 

-U4X + U2 



u^x — Ui 



which in turn induces an isomorphism of the function field ¥q{C) and the function 
field of the curve E^, ¥q{E'^), where E^^ is defined by: 

9 x^ - L? 

y =-r^- 

E^^ is clearly isomorphic to the original Edwards curve ([T]). Thus Fg(C) is an 
elliptic function field and hence the desingularization of C yields an elliptic curve. 
One can obtain results similar to the ones proven in [6] for the curve C. For example, 
one can obtain an addition formula for the points on C by using the Edwards curve 
addition formula and the map 0, as (f) induces a group homomorphism between the 
group of points on C and the group of points on E^^. 

8.2 Ratio of a quadratic and a linear polynomial 

Now suppose that for the curve (|22]) we have 02 = 0, 62 / 0, giving the corresponding 
curve 

C'/W, : = + (23) 

h2X + C2 

Then there is a linear fractional transformation 

U^X + Uo I ==- 

(p:x^— ■ — r, Ui^Wq, 

u^x + 

which maps C to a curve of the form [22] defined by a ratio of two quadratics, and 
which induces an isomorphism between the function fields of C and a curve of the 
form[22j Thus our discussion in the previous section applies to curves defined using 
the ratio of a quadratic and a linear polynomial. 

8.2.1 HufT curves 

The Huff's model of elliptic curves introduced by Huff |8j which has recently cap- 
tured the interest of the cryptographic community [9l [22] can be transformed to one 
of the form (I23p . In particular, the Huff's curve, defined by the equation 

HaM/¥g ■■ ax{y^ - 1) = hy{x^ - 1), 
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is transformed to the curve 

2 bt"^ + at 
at + b 

by setting xy = t. Thus one can generate the Huff's curve addition law using the 
process outUned in the previous section. Furthermore, whenever a curve family is 
IFq-isomorphic to an Edwards or Legendre curve, one can deduce some properties 
of the isogeny classes. For example, we have |22j 

Ha,b - ^(a^\^ over Wg, 

\ a + b) 

and so applying Theorems 16.61 and 16.71 we conclude that for any unobstructed A, if 
q + 1 — A = (mod 8) then there exists a Huff's curve over IF^ with that cardinality. 
One can also apply the results of this paper directly to the Jacobi intersection 
family ^ 

+ = 1 and dx'^ + = 1, 
since this family has j-invariant jiid)- 

Remark 8.1. A new single-parameter family of elliptic curves was introduced in 
(amongst more than 50,000 others) defined by the curve equation 

Ax + x^ -xy'^ + 1 = 0, 

which enjoys a uniform x-coordinate addition formula. The curve equation can be 
rewritten as 

o x"^ + Ax + 1 

y = • 

X 

Hence one can obtain addition formula for this family of curves using the addition 
law of Edwards curves, although we do not claim that this method generates the most 
efficient group law. 

9 Concluding remarks 

We have identified the set of isogeny classes of Edwards curves over finite fields of 
odd characteristic, and have found the proportion of parameters d in each isogeny 
class which give rise to complete Edwards curves. Furthermore, we have identified 
the set of isogeny classes of original Edwards curves, and proven similar proportion 
results for this sub- family of curves. 

Although not included in the paper, by analysing the 4- and 8-torsion of Legendre 
curves, and using variants of the established bijections, we were able to prove parts 
of Katz's ratio theorems. We believe an interesting and challenging problem is 
whether or not the methods of this paper can be developed to provide an alternative 
proof for all parts of Katz's ratio theorems; and conversely, can Katz's methods be 
used to find relationships between A^2*(^) ^^"^ -^(^) similar to those proven in 
Theorems 16. 6^ \67l\ I7.2( iii) and l7.3( iii). for A; > 2 and q = l (mod 2'^)? 
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